Bug 741243 - VUL-1: CVE-2012-0031: apache2: possible crash on shutdown due to flaw in scoreboard handling
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Roman Drahtmueller
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:45334 maint:...
Depends on:
Blocks:
Reported: 2012-01-13 12:43 UTC by Matthias Weckbecker
Modified: 2019-12-17 16:09 UTC
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Try to reproduce this bug ... (13.45 KB, text/plain), 2012-02-16 07:27 UTC, Bruce Ma
Description Matthias Weckbecker 2012-01-13 12:43:56 UTC
"Apache 2.2 webservers may use a shared memory segment to share child process status information (scoreboard) between the child processes and the parent process running as root. A child running with lower privileges than the parent process might trigger an invalid free in the privileged parent process during parent shutdown by modifying data on the shared memory segment."

http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/

Reproducer:

http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/LibScoreboardTest.c
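An added C illustration, not Apache's code or the reproducer linked above, of the trust-boundary problem the description names: a parent that selects its shutdown path from a flag in child-writable shared memory, beside one that keeps that fact in its own private memory. The struct and flag names are constructed stand-ins, and the cleanup functions return the action they would take instead of performing it, so nothing is actually freed.

```c
#define _GNU_SOURCE 1              /* MAP_ANONYMOUS */
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

enum sb_type { SB_NOT_SHARED = 1, SB_SHARED = 2 };
enum action  { ACT_FREE_HEAP, ACT_UNMAP_SHM, ACT_INVALID };

/* Constructed stand-in for a scoreboard header that lives in the shared segment
 * (names modelled on the report's wording, not the real Apache struct). */
struct global_score { int sb_type; int running_generation; };

/* Unsafe pattern: the parent chooses its teardown path from a flag stored in
 * memory that lower-privileged children can write. */
static enum action cleanup_unsafe(const struct global_score *g) {
    if (g->sb_type == SB_SHARED)     return ACT_UNMAP_SHM;
    if (g->sb_type == SB_NOT_SHARED) return ACT_FREE_HEAP; /* free() of mmap'ed memory */
    return ACT_INVALID;
}

/* Hardened pattern: the parent records how it allocated the segment in its own
 * private memory and never re-reads that decision from the segment. */
static enum action cleanup_safe(enum sb_type how_allocated) {
    return how_allocated == SB_SHARED ? ACT_UNMAP_SHM : ACT_FREE_HEAP;
}

/* Map a shared segment, let a forked child overwrite the header, then compare
 * both teardown decisions in the parent. Returns 1 when the unsafe path was
 * misled into the heap-free branch while the hardened path was not, -1 on error. */
int demo_tampered_shutdown(void) {
    struct global_score *g = mmap(NULL, sizeof *g, PROT_READ | PROT_WRITE,
                                  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (g == MAP_FAILED) return -1;
    enum sb_type how_allocated = SB_SHARED;   /* parent-private copy of the fact */
    g->sb_type = SB_SHARED;
    g->running_generation = 0;
    pid_t pid = fork();
    if (pid < 0) { munmap(g, sizeof *g); return -1; }
    if (pid == 0) {                           /* child: can reach the shared header */
        g->sb_type = SB_NOT_SHARED;
        _exit(0);
    }
    waitpid(pid, NULL, 0);
    int misled  = cleanup_unsafe(g) == ACT_FREE_HEAP;        /* would be an invalid free */
    int correct = cleanup_safe(how_allocated) == ACT_UNMAP_SHM;
    munmap(g, sizeof *g);
    return misled && correct;
}
```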
Comment 1 Roman Drahtmueller 2012-02-01 11:40:37 UTC
CVE-2012-0031

upstream change: https://svn.apache.org/viewvc?view=revision&revision=1230065

In package updates:
avoid binary incompatibility by leaving struct global_score intact.
Therefore, no magic number increase for modules.
Comment 2 Bernhard Wiedemann 2012-02-14 05:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (741243) was mentioned in
https://build.opensuse.org/request/show/104860 Evergreen:11.2 / apache2
Comment 3 Bruce Ma 2012-02-16 07:24:25 UTC
Hi:

I am testing this case, trying to reproduce the bug.
I followed the URL below:
http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/

Using the root user to run "gdb --pid <an apache child>", then "set *(int*)($esp+4)="/srv/www/htdocs/LibScoreboardTest.so"", I got:
(gdb) set *(int*)($esp+4)="/srv/www/htdocs/LibScoreboardTest.so"
Cannot access memory at address 0x5421b7c
(gdb) 

Is there any other way to reproduce this bug?
Thank you :)
Comment 4 Bruce Ma 2012-02-16 07:27:30 UTC
Created attachment 476423 [details]
Try to reproduce this bug ...
Comment 5 Marcus Meissner 2012-02-16 08:07:00 UTC
The reproducer will likely only work on i586, if at all, due to 32-bit register usage. So testing on i586 would be sufficient.

As it is difficult this way, security does not require reproducing this bug.
Comment 6 Bruce Ma 2012-02-17 02:59:02 UTC
OK, I got it. I will just try one more time.
Thank you.
Comment 7 Swamp Workflow Management 2012-02-18 08:25:53 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker, libapr1, libapr1-32bit, libapr1-debuginfo, libapr1-debuginfo-32bit, libapr1-debugsource, libapr1-devel, libapr1-devel-32bit
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 8 Bernhard Wiedemann 2012-02-19 19:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (741243) was mentioned in
https://build.opensuse.org/request/show/105883 Evergreen:11.1 / apache2
Comment 9 Bernhard Wiedemann 2012-02-20 20:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (741243) was mentioned in
https://build.opensuse.org/request/show/106112 Evergreen:11.1 / apache2
Comment 10 Matthias Weckbecker 2012-02-24 11:32:33 UTC
Updates were released a while ago. Resolved / fixed.
Comment 11 Swamp Workflow Management 2012-02-28 11:10:28 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 12 Swamp Workflow Management 2012-02-28 12:08:35 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 13 Swamp Workflow Management 2012-03-06 16:55:45 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 14 Swamp Workflow Management 2013-03-15 13:00:11 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 17 Swamp Workflow Management 2013-07-02 12:04:59 UTC
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)